Windows privilege escalation: exploit suggester

After finally being able to exploit a machine and getting a limited shell, preferably a meterpreter shell, the next step is to escalate your privileges to an administrator or SYSTEM user. In this blog post, I'll demonstrate with an example how to find exploits to escalate your privileges when you have a limited shell.

In the following example, I found a Rejetto HTTP File Server running on port 80. The Metasploit module for it gave me a meterpreter shell. Nice!


Step 1: Migrate process with meterpreter

The first thing I do after getting my meterpreter shell is secure my access by migrating the process. If the initially exploited service crashes or is terminated by the user, my shell would be lost as well.

Another advantage is that you can migrate from an x86 to an x64 process, opening up more possibilities for privilege escalation. Good to know: meterpreter injects into an existing process and does not touch disk, so it remains undetected by AV.

To migrate, just type ps to see a list of the running processes on your host. Usually I choose a Windows x64 process that the user is unlikely to terminate; in this example I chose conhost.exe. You can see that the PID (Process Identifier) of that process is 806.

To migrate Meterpreter to conhost.exe, type:

migrate 806


Step 2: Run Local Exploit Suggester (Metasploit)

Now that we have migrated our process and secured our access, we can start looking for an attack vector to escalate our privileges. Metasploit has a built-in exploit suggestion module that has worked very well for me in the past.

First, background your active meterpreter session (CTRL + Z). Good to know: you can have multiple meterpreter sessions active and switch between them.

Next, run the following command:

use post/multi/recon/local_exploit_suggester

For post modules like this one, you usually need to set the meterpreter session to work on. To find out your session number, just type sessions after you have backgrounded your session and Metasploit will give you a list of the active sessions. In my example, my active meterpreter session was 2, so I executed the following command to point the local_exploit_suggester at my backgrounded meterpreter shell:

set session 2


Unfortunately, for some reason the Metasploit exploit suggester gives us nothing.

Step 3: GDSSecurity Windows Exploit Suggester

Fortunately, there is another exploit suggester available, by GDSSecurity on GitHub.

The cool thing about this script is that you don't need to run it on the host machine. Using a systeminfo output text file, it compares the patch level of the host against the Microsoft security bulletin database.

First I get back (interact) to my backgrounded shell by typing:

sessions -i 2

Next, I type shell in my meterpreter session to get a Windows cmd shell. I navigate to the Desktop of the logged-in user and save the system information to a file systeminfo.txt by executing the command:

systeminfo > systeminfo.txt


Next, I downloaded the systeminfo.txt file from the victim host to my Kali machine.

Now, download the exploit suggester from GitHub. Open a new terminal and navigate to the folder containing the script (in my case Desktop).

First step is downloading the latest Microsoft security bulletin database by executing:

python exploit-suggester.py --update

You'll notice in the screenshot below that the above command created a file 2017-07-29-mssb.xls. To compare the system information from the victim host with the database I've just downloaded, I run:

python exploit-suggester.py --database 2017-07-29-mssb.xls --systeminfo systeminfo.txt


Damn, I need to install the python-xlrd library. You see, this stuff happens to me as well.

Anyway, after installing that library, it finally worked out:

[Screenshot: Windows Exploit Suggester output, MS16-032 highlighted]

Keep in mind that this tool shows many false positives, as it compares all vulnerabilities against the installed hotfixes only. It is key to know what software is actually running on the target host. For example, if there are known IIS or WebDAV exploits it will flag them even if IIS or WebDAV is not running on the target host. It will

As highlighted in the screenshot above, MS16-032 looks like one that might work.
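To make the matching logic (and its false-positive problem) concrete, here is an added example that is not part of the original post or of the GDSSecurity tool: it parses the hotfix list from a systeminfo dump and checks it against a small bulletin table. The systeminfo text, the KB numbers and the component column are constructed for the example; MS16-032 is the only bulletin id taken from this post. Bulletins that depend on a component the dump cannot prove is installed are reported separately instead of as confirmed gaps, which is the check a patch-compliance reviewer would want.

```python
import re

# Constructed, shortened systeminfo output; not captured from a real host.
SAMPLE_SYSTEMINFO = """\
Host Name:                 WORKSTATION01
OS Name:                   Microsoft Windows 7 Professional
OS Version:                6.1.7601 Service Pack 1 Build 7601
System Type:               x64-based PC
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: KB9990005
                           [02]: KB9990006
                           [03]: KB9990002
"""

# Constructed bulletin table: (bulletin, KB that fixes it, affected OS substring,
# component that must be installed for the bulletin to apply, or None for core OS).
# KB numbers are placeholders, not Microsoft's real ones.
BULLETINS = [
    ("MS16-032", "KB9990001", "Windows 7", None),
    ("MS15-034", "KB9990002", "Windows 7", "IIS"),
    ("MS14-058", "KB9990003", "Windows 7", None),
    ("MS16-016", "KB9990004", "Windows 7", "WebDAV"),
]


def parse_systeminfo(text):
    """Return (OS name, set of installed KB ids) from a systeminfo dump."""
    os_match = re.search(r"^OS Name:\s*(.+)$", text, re.M)
    os_name = os_match.group(1).strip() if os_match else ""
    hotfixes = set(re.findall(r"\bKB\d+\b", text))
    return os_name, hotfixes


def missing_bulletins(text, installed_components=()):
    """Split unpatched bulletins into confirmed gaps and component-dependent ones.

    A bulletin lands in "missing" when the fixing KB is absent and it applies to
    the core OS or to a component the caller confirmed; otherwise it is
    "unverified", i.e. the kind of hit the text above calls a false positive.
    """
    os_name, hotfixes = parse_systeminfo(text)
    report = {"missing": [], "unverified": []}
    for bulletin, kb, os_sub, component in BULLETINS:
        if os_sub not in os_name or kb in hotfixes:
            continue  # wrong OS, or already patched
        if component is None or component in installed_components:
            report["missing"].append(bulletin)
        else:
            report["unverified"].append(bulletin)
    return report
```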

I'll continue demonstrating the privilege escalation in the next blog post.